https://support.office.com/en-gb/article/Apply-Information-Rights-Management-to-a-list-or-library-3b...

In the above article it mentions:

• Helps to prevent an unauthorized viewer from viewing the content if it is sent in e-mail after it is downloaded from the server

• Restricts access to content to a specified period of time, after which users must confirm their credentials and download the content again

So unauthorised users still cannot view the document. 

It means that the license (key) they get to open the file is time-bound and they need to periodically authenticate to O365 in order to renew it. The default is 30 days.

If you have played with the RMS sharing app, it has a similar option - "Allow me to instantly revoke access to these documents". In other words, it's "online" protection, requires the user to connect to the service every time they try to open the document.